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CS7) Apparatus and methods for maintaining a centralized data log 11091 for a distributad computar^yfitam 
[100] utin^ng more than ona typft of opw^trng system I125,135,1^1« The present patent document dteclosea 
techniques for transfirring and storing log d9ka (3001 acro«$ different ptetforms end the aggiegation bf that log 
data 1300] Into one location whar^n the processes deeding the log data 1300] are a9cacut»d 1^ operating 
systems 1125,135^165) which are not limited to ba^g of the same type. Thus* this aggregation mechanism is 
designed to allow muftlpla processes 1130,160] operating on diverse kinds of systams [140.170] to log to a 
central system 1116). which itself may be on any kind of system. An administrator can monitor fh>m a single 
source the operation of a distributed computer system [100]^ as for example a distributed management tool, 
whose components may t>e distributed across a network [190] end operatlno on multiple, geographjcelty 
dispefsed computers (140,1701 
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2366050 

AGGREGATION OF LOG DATA INTO 
CENTRALIZED DATA LOG 

5 FIELD OF THE INVENTION 

The present invention relates generaUy to networks of coroputw systems and, 
moie particulariy, to the logging of infonnation regarding the activities of the syste^^ 

10 

BACKGROUND OF THE INVENTICMJ 

• In order to monitor the progress of any system, it is dedrable to have infomiBtion 
about the activities of the system. SiMsh information, provided ina manner which collects 
15 iiovertimemtoonelocalbniscaUedalog. The advent of distributed systems opeiafing 
on networks, in particularths Internet, has presented new difficulties due to the feet that 
each individual system maintains its own sqarate, local log. Thus, in order to investigate 
operation of the systan as a whole, system administrators have been forced to open and 
lead several difiereut logs. Hic system administrator's job is made especially difficult 
20 in trying to conelate the timing of several events which were recorded in differing logs. 
As an added complication, some of these ^ogs may be stored on computers remotely 
located fiom the system administrator. In addition, formal of the various logs differ 
ftom one anofiier. as well as the platfonns on virtnch the logs are stored. 

A utility avffllable on UNIX systems is Syslog wWch allows multiple dispersed 
25 conqxments to log to a tingle system. However since it is UNIX only, Syslog does not 
permit systems having operating qrstenis o*er ftan UNDC to write to a coinmon log. 

Thus, there is a need, in environments made up of multiple components which 
operate semi-auionoraously, to have the log infonnation generated t>y these components 
collected into a centrally located log v(Mdi can be eaaly accessed by the systean 
30 adnunistiator. 

1 
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SUMMARY OF THE INVENTION 

The present patent document discloses t^hniques for aggregating log data m a 
distributed system. Previous methods for storing log data have either relied \ipon 
S maintaining individual, logs for each individual process on the bcal ^stem or a central 
log fbr distributed systems whcrrin cadi individual system is executed by the same type 
operating system. 

Disclosed in vaiioiis embodiments arc apparatus and methods fbr gathering eveat 
data by a process executed by an operating system on a computer system^ transferring 

10 that data to a logging process executed by an operating system on another computer 
system wherein the logging process operating system is intrinsically different from the 
operating system of the process that detected the events and storing diat data in a data log 
on the logging process computer systentL Provision is also made for gathering, 
transferring, and storing event data for processes running on the computer system on 

] S v^ch the data log is located. A representative data strucmre for the oilries in the data 
log is also disclosed. 

The disclosures of the present patent document provide two primary advantages 
over the prior art: (1) logging of log data across different platforms and (2) aggregation 
of log data into one locadon. This aggregation mechanism is designed to allow multiple 

20 elements operating on divexse kinds of systems to log to a central system, ^idti itself 
may be on any kind of system. An administrator can monitor the operation of a 
distributed system, as fbr example a distributed management tool, whose components 
may be distributed across a netwoik and operatiDg on multiple, geogra^cally dispersed 
computers. 

25 Other ejects and advantages of the present invention will become apparmt &om 

the following detailed description, taken in conjunction mth the accompanying drawings, 
illustrating by wsty of example the principles of the invention. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings provide visual representations which will be used 
to mDr« fully describe the invention and can be used by those skilled in the art to better 
5 understand it and its inherent advantages. In these drawings, like reference numerals 
identify correspondiiig elements and: 

Figure 1 is a drawing of a distributed compater system having a centralized data 
log as described in various representative embodiments of the present patent document 

1 0 Figure 2 Js a drawing of anoflwr distributed computer system having centralized 

data log as described in various representative embodiments of the present patent 
document. 

Figure 3 is a drawing of an entry for a data structure for the centralized data log 
as described in various rq)resentative embodiments of the present patent docum^t 
IS Figure 4 is a flowchart of a method for writing to the centralized data log of 

figure I as described in various representative embodiments of the present patent 
docmnei^t. 
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DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

M ahovra in the drawii«s for purposes of illustration, the present patent 
document relates to a novel method for aggregating log data in a distributed system. 

5 Previous methods for storing log data for distributed systems have either relied upon 
maintaining individual logs for each individual process on its own local fi>'stcin or a 
central log wherein each individual system w*ich accumulates log data is executed by 
a member of the same qpemting system family. Embodiments disclosed herein are not 
limited by such constraints. In paiticulart a process accumulatbg event data for stomge 

to in the central log may be running, not only on a remote computer^ but also on an 
operating system wMch differs significantly from the operating system of the logging 
procBM- Other processes which accumulate such event data in the distributed system 
may be ftoher executed by operating systerns of even diff^ lathe 
following detailed description and in the several figures of the drawings, like elements 

IS are identified with like re&rence numerals. 

Figure 1 is a drawing of adisuibuted computer system 100 havinig a centralized 
data log lOS as described in various representative embodiments of the present patent 
document In a first prefenxd embodiment as shown in figure 1, the centralized data log 
105» also referred to herem as the data log 1 05^ is stored in a computer memory 1 10. also 

20 referred to herein as a computer readable memory device 110, on a log computer system 
115. A log process 120, also referred to herein as a log program 120, executed by a log 
operating system 125 stores daia in the dau log 105, A first computer process 130, also 
referred to herdn as a fiist computer program 130. is executed by a fust operating sy^sm 
135 on a first computer system 140, The log operating system 12S may d!&r 

2S intrinsically in type from the first operating system 135. When the first computer process 
130 detects a first event 145 not shown in figure 1, the first computer process 130 
transmits description of the first event 145 as a first event description ISO to the log 
process 120 via a network 190. However, it is possible that means other than (be netwodt 
190 could be used to transmit Ite &st event description 150 to the log process 120, ^ 

30 example storing data on a magnetic disk and physically transferring the disk to the log 
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conqjutcr system 115. The log process 120 stores the fu^ event description 150 in the 
data log 105. In the first preferred embodiment, the log operating system 125 is 
intrinsically different from the first operating system 135. It Is also posable. that the 
computer memory 110 comprising the data log 105 could be physically located on a 

5 computer ^siem located remotely from the log computer system 115, 

Also shown in figure 1 is a second computer process 160* also refercedtoherem 
as a second computer program 160, executed by a second operating system 165 on a 
second coniputer system 170, The log operating system 125 may or may not intrinacally 
diffa in type ftom the second operating system 165, and the second operating system 165 

10 may or may not intrinacally differ in type from the first Whenthe 
second ooniputer process 160 detects a second event 175 not shown in figure 1, the 
second computer process 160 transmits description of the second event 175 as a second 
event descciptiaa 180 to the log process 120 via the network 190. However, it is possible 
that means other than the network 190, as for e^cample storir^ data onti magnetic disk 

IS and physically tiansfening the dbk to the log computer system 115, could be used to 
transmit the second event description 180 to the log process 120. The log process 120 
stores the second event description 180 in the data log 105. In a representative 
embodiment, the second operating system 165 is intrinsically diiferent fiom the fast 
operating system 135. In another representative embodiment, the second operating 

20 ' system 165 is intxinacaUy different from the log operating system 125. And in yet 
another representative embodiment^ the second operating system 165 is inbrinsically 
different fhun the fhst operatins system 135 and intrinsically difierenC from the log 
operating system 125, 

Figure 2 is a drawing of another distributed computer system 100 having 

25 centralized data log 105 as described in various representative embodiments of the 
' present patei^t document In a second preferred embodiment as shown in figure 2, the 
dstalogl05isfiDrediatheGOmputermemoiyllOoathelogcomputer$ysteml^^^ The 
log process 120 executed by log operating system 125 stores data in the data log 105. 
The first computer process 130 is execute by the fiist operating system ^ 

30 computer system 140. When die first computer process 130 detects the first event 145 
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not shown in figuw 2, the first computer process 130 transmits description of the first 
event 145 as the first event description 150 to the log process 120 via the network 190. 
However, it is possible that means other than the network 190, as for example storing ■ 
data on a jnagnetic disk and physically transferring the data to the log computer system 

5 115, could be used to transmit the first event description ISO to the log process 120. The 
log process 120 stores the first event description 150 in the data log 105. In the second 
preferred embodiment, the log operatir^ system 125 is intrinsically difierent from the 
first operating system 135. 

Also shown in figure 2 is an additional log system process 260 executed by the 

10 log operating system 125 on the log computer system 115. When the additional log 
process 260 detects an additional event 275 not shown In figure 2, the additional log 
system process 260 transmits description of the additional event 275 as an additional 
event description 280 to the log process 120. The log process 120 stores the additional 
event descriptian 2S0 in the data k>g 105. In a representative embodiment, the addidonat 

15 log system process 260 transmits the adcGtional event description 280 to the log process 
120 via the network 190. In another representative embodiment, the additLonal log 
system process 265 transmits the additional event description 2S0 to the log process 120 
via paths internal to tiie log computer system 115* 

Figure 3 is a drawing of an entry for a data striu: ture 3 0 0 for the central! zed data 

20 log 105 as described in various representative embodiments of the present patent 
document Tbe eotry for the data structure 300 comprises a system identification 310 aod 
a component identification 315» Hie component Identification 315 identifies the 
component which detected the event logged* and tiie system identification 310 identifies 
the system on ^chtiiat component is located. The data structure 300 fiirfher comprises 

25 event time 320 viAda. spedfies the clock time at which the event x>ccuncd, and event data 
330 which provided information to die log user regarding the nature of the event detected 
and subsequentiy recorded in tbe data log 105. Other items could be included in the data 
structure 300, as fi>r example operating system and computer system identifieatioiL Also, 
(be event time 320 could include tite date of the event, as well as the time of day at which 

30 the event occurred. Data structure 300 entries into the centralized data tog 105 could be 
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entered into the ccfltraUzcd data log 105 in event time 320 order or as received the 
caitrallzed data log 105. They could further be grouped by component identification 315 
and/or system identification 310. In pmctice, the component could be, for example, a 
software agentp and the sy$tcm could be the jrfiyaeal system hardware on which the 
5 software agent is operating. 

Figure 4 is a flow chart of amethod 400 for writing to the centralized data log 105 
of figure 1 as described in various represcnlativ&.embodiments of the present patent 
document. The method 400 of figure 4 could be implemented as software processes on 
distributed computer system 100* 
1 0 In block 410 the first computer process 130 executed by the first operating system 

135 detects tiie first event 145. Block 410 then transfers control to block 420. . 

In block 420 the first computer process 130 prepares the first event description 
ISO. Block 420 then transfers control to block 430. 

In block 430 tiie first event description ISO is transmitted to tiie log process 120 
IS executed on the log conaputer system 115 by the log operating ^em 125. Block 430 
then transfers control to block 440. 

In block 440 the l<>g process 120 receives the first event description 150 ftom tiie 
first computer process 130. Block 440 then transfers control to block 450. 

In block 450 the log process 120 stores the event infbrmation in the data log lOS 
20 Block 450 is the tenninatii^ stq> in the method. 

While the metiiod 400 of figure 4 has been described in temis of the first 
conqyuter process 130 executed by the first operating system 135 on the fust computer 
system 140, it will be understood that tiie identical method can be followed for the second 
computer process 160 of figure 1 executed by the second operating system 165 on the 
25 second computer system 170, as well as for tiie additional log system process 260 of 
figure 2 executed by the log operating system 125 on the log computer sy^em 115. 

In tepresentativc ^bodiments the present patent document describes metiiods 
wherdn data be logged amss systems of tUverse implementationa to a log on any 
kind of system. ThU5» tiie implementations provide two primary advantages over the 
30 prior art; (1) logging of log data across different computer platforms and (2) aggregation 
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of log data into one location. This aggregation mechanism is designed to allow multiple 
elements operating on diverse kinds of systems to log to a central system, which itself 
may be on any kind of system. An administrator can monitor the operation of a 
distributed system, as for example a distributed n^Mgemenl tool, whose components 
5 may be distributed amss a network and (^crating on muldple, geograj^calty dispersed 
computers. 

While the present invention has been described in detail in relation to preferred 
embodiments thereof the described embodiments have been presented by way of 
example and not by way of limitation. It v/ill be understood by those skilled in the art 
1 0 that various changes may be made in the form and details of the described embodiments 
resuldng in equivalent embodiments that remain within the scope of the appended claims. 
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5 



What is claimed Is: 



10 



A computer program storage medium readable by a compixter, tangibly 
embodying a cotnpuier program of instzuctioas executable hy the 
computer to perfocm method steps for storing ev^ data [33fi] in a 
ceotxalized data log {105) in a distributed computer ^stam [100], tbe 
steps comprising: 

detecting a first event 1145] by a first con^ter process [130], 
^dierein the fiist oonq>ut6r process [130] is executable by a first 
operating system [US]; 



preparing a first event description [ISO], \^erem the first event 
12 description [ISO] describes the first event [145]; 

14 transmitting the first ervent description [150] to a log process 

[120], \itoein the log process [120] is executable by a log 

16 operating system [125], wheredn the log opcrafing system [125} 

difibzs mtimsicaUy in type fiom the first operating system (1^ 

18 

zeceivii^ the first event description [150] by ^ log proc^ 
20 [120); and 
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storing the first event descr^tion (ISO] b the centialized data log 
22 (105). 

2. The computer progiam storage medium as recited in claim 1 , providing 
2 the first event description [150] is transmitted firom the fii^ computer 

process [130] to the log process {120] via a netwod: [190]. 

3. The computer progcam Storage medium as recited in claim l, the steps 
2 flirtfacr comprising: 

4 detecting a second event [175] by a second conDiputer process [160], 

wherein the second computer process [160] is executable by a second 
6 operating system [165]; 

8 preparing a second event description [180), wherein the second event 

description [180] describes the second event [175]; 



10 



12 



14 



transmitdng the second event description (180] to tiie log process [120]; 
receivbg the second event description [180] fay the log process [120]; and 



storing the second event description [ISO] in the centzalized data log 
16 [105]. 

4. The computer program storage medium as recited m claim 3, providii^ 
2 second event description [180] is transmitted firom the second 

cosqiuter proces [160] to the log process [120] via a network [190). 

5. The computerprogram storage medium as tedted in claim 3, providing 
2 the second operadng system [165] difSsc intzinaically in type from ^ 
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fiist opeiBtiiig system {135]. 

6. The compiiter program storage medimn as recited in claim 3^ pioviding 
2 the second opeiatnig system (1^ differs intrinsically in &om the 

log operating system [1251. 

7. A computer readable memoiydei^ce [110] encoded widl a data sttt^ 
2 [300] fbr transferring data between a first coQipu^ 

log process 1120), the first computer process [130] having functions for 
4 transfeiring an event descripdon [ISO] to the log process [120], the 

functions having associated paramctcra, the ddta structure poO] having 
6 entries, each entry containing: 

8 event data P30]<wheiein the event data [330] describes a detected 

[1451; 

10 

a conaponent identiScaiion [315], wherein ^e component identification 
12 [315] idendfies a component detecting the event [145] and wherein the 

event [145] is described by the event descripdon [150]; and 

14 

a system identificalion [310]^ wherein the system idmtifieation [310] 
16 identifies a system, wherein ^be syskm conaprises the component 

detecdog the event (145). 

8. Hie computer readable memoiy device [110] as zedted in chum 7, 
2 providing the data structure [300] further contains ^ event time [320], 

i?4ieran the event time [320] is the dock thno of cvmt [145] occurrence, 

9. A (fistributedoonqriiter system [100] for storing data» comprise 
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a first computer process [130] executable by a &$t operatit^ system 
4 [1351; 

6 a log process [120) executable by a log opeiatiiig system [125]^ wherein 

&e kg opoQtuig system [125] differs btiizisi 
8 system [135]; and 

10 a centralized data log [105] stored in a CQmpoter memory [^10]^ wherein 

the fiist computer pnTcess [130] coznprises ftmctions for transnttting a 

12 first event description [ISO] to the log process [120] and \/«1»rein the log 

process [120] comprises fimc^ons for recdving die first event dsscriptiM 

14 [ISO] fiom the fiist computer process [130] and for storing tiie first event 

description [ISO] in the data log [IDS]. 

1 0. Ths (fistiibuted computer system [1 00] as recited in claim 9» whenein the 
2 first event des cripdon [ISO] is transmitted fiom the first computer process 

[130] to fhe log process [120] via a network [190]. 
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